CERT announced yesterday that OpenSSL, the open source library that implements Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS), has several vulnerabilities in its current release branches. Each of them lets an unauthenticated remote attacker crash OpenSSL with a malformed SSL/TLS handshake, and because the library runs inside the calling process, the crash takes down whatever service has it loaded.

Tracked as VU#288574, VU#484726, and VU#465542, the issues affect both the 0.9.6 and 0.9.7 branches, though not identically. Both branches contain a null-pointer dereference in handshake processing (VU#288574). 0.9.7 additionally mishandles the Kerberos cipher suites (VU#484726), and 0.9.6 "does not properly handle unknown SSL/TLS message types" (VU#465542).

All OpenSSL users are urged to upgrade as soon as possible; until they do, any SSL/TLS service exposed to the network is a cheap denial-of-service target.

ERIC'S OPINION
SSL forms the backbone of more services than you might imagine. Secure Web transactions top the list, but mail (IMAP, POP3, SMTP) and directory (LDAP) servers are routinely wrapped in SSL as well, and most of them get it from OpenSSL. A lot of common third-party applications link against it too, and every one of them inherits the crash: it is the process that loaded the library, not just the library, that goes down.

The good news is that patches are now available; the bad news is that you have to go back and regression test everything that links against the library, but we all ought to be used to that by now.
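The first practical step after an advisory like this is finding out which of those services still run a pre-fix library. The script below is an added example, not code from the article or from the OpenSSL project. It parses the output of `openssl version` and flags anything in the 0.9.6 or 0.9.7 branch older than the fixed releases. The fixed version numbers (0.9.6m and 0.9.7d) are taken from the OpenSSL advisory of 17 March 2004, not from this page; the host names and version strings in the sample inventory are constructed for illustration.

```python
import re

# Fixed releases from the OpenSSL advisory of 17 March 2004 (not stated on
# this page): 0.9.6m closes the 0.9.6-branch issues, 0.9.7d the 0.9.7-branch
# issues.  Anything older in either branch is treated as needing an upgrade,
# which is deliberately conservative (the advisory's lower bounds are ignored).
FIXED = {(0, 9, 6): "m", (0, 9, 7): "d"}

# OpenSSL 0.9.x numbering: major.minor.patch plus an optional letter suffix.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return ((major, minor, patch), letter) from 'openssl version' output,
    e.g. 'OpenSSL 0.9.7c 30 Sep 2003' -> ((0, 9, 7), 'c').
    A release with no letter (plain 0.9.7) sorts before 0.9.7a, so its
    letter is the empty string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return base, m.group(4)


def needs_upgrade(text):
    """True when the version is in an affected branch and older than the fix.
    Letter suffixes compare as strings: '' < 'a' < 'b' < ... < 'z'."""
    base, letter = parse_openssl_version(text)
    fixed = FIXED.get(base)
    if fixed is None:
        return False  # branch not named in the advisory (e.g. 0.9.8 development)
    return letter < fixed


def triage(services):
    """services: iterable of (service name, 'openssl version' output).
    Returns the names still running a pre-fix library, for the upgrade list."""
    return [name for name, out in services if needs_upgrade(out)]


# Constructed sample inventory, as an admin might collect it with
# `ssh <host> openssl version`; the hosts are hypothetical.
SAMPLE = [
    ("imaps on mail1", "OpenSSL 0.9.7c 30 Sep 2003"),
    ("ldaps on dir1",  "OpenSSL 0.9.6l 04 Nov 2003"),
    ("https on www1",  "OpenSSL 0.9.7d 17 Mar 2004"),
    ("smtp on mx1",    "OpenSSL 0.9.6m 17 Mar 2004"),
]

if __name__ == "__main__":
    for name in triage(SAMPLE):
        print("needs upgrade:", name)
```

Two caveats when using a check like this. A vendor that backports the fix into its package often leaves the version string unchanged, so a flagged host may already be patched and the package changelog is the authority. Conversely, a clean `openssl version` on the command-line binary says nothing about a daemon that was started before the upgrade or that was built with its own copy of the library; the version that matters is the one each running process actually loaded, which is why the regression-test pass has to cover every service, not just the system package.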

USER COMMENTS (18 comments)

Hmmmmm (6:54pm EST Fri Mar 19 2004) Call me when it affects SSH.

– by Rax

Work around.. (8:42pm EST Fri Mar 19 2004) CERT have announced work-arounds to the problem. If you remain affected by the vulnerability, you may optionally actually get off your fkin ass and go to the shop and purchase your consumer goods over the counter like we used to!!

I'm waiting for a service that allows me to SSH into MegaMart Corps., product database and SCP items into a trolley.

– by lUNIX buff

Work around… (7:18am EST Sat Mar 20 2004) CERT have announced work-arounds to the problem. If you remain affected by the vulnerability, you may optionally actually get off your fkin ass and go to the shop and purchase your consumer goods over the counter like we used to!!

I'm waiting for a service that allows me to SSH into MegaMart Corps., product database and SCP items into a trolley.

I use SSH every day, so I need to know if this will affect it. Your dumb comment was just stupid.

My comment was a request for knowledge. It was in no way a slam on your god Microsoft or a coverup for Linux.

Next week when you bring your body to geek.com, don't just bring half your brain.

– by Rax

Like I said (10:17pm EST Sat Mar 20 2004) Like I said, Rax, you never change. You also never learn, and that is your downfall. To you, anyone who doesn't immediately claim Linux is the end-all-be-all God of OSes must therefore be a Microsoft heretic. I pity you that you're so insecure on something so insignificant. Microsoft is far less my God than Linux is yours, but you'll never accept such a truth. – by J. Eric Smith

U Dont know….. (2:36am EST Sun Mar 21 2004) I don't get what the big deal is, I mean there's been flaws like this since the beginning. An exploit came out about a month ago explaining that one could send an email with arbitrary code attached to the header, and the server would reject the email, but not before accepting the arbitrary code. You see, I am a rambling shit head and lijie sucks my ding dong. I would like to shove my penis in his mother's mouth for giving birth to him. I didn't take the time to read this article and I hope I never do.. because I would love to get banned for this…. dum de dum dum dum.. well, getting kinda bored with this, can't wait to see the responses to this piece of art.. later shit heads… luv u lijie XOXOXOXOXOXOXOXOXO – by Ace

Re: J. Eric Smith (11:32am EST Sun Mar 21 2004) OpenSSH is still pretty secure even with this minor flaw that is now fixed. – by *nix more secure

Re: J. Eric Smith (9:30pm EST Sun Mar 21 2004) Once again you prove that your comments are dumb and stupid. You would need to gain 10 IQ points to be called ignorant.

"To you, anyone who doesn't immediately claim Linux is the end-all-be-all God of OSes must therefore be a Microsoft heretic."

I would like for you to prove this statement. You can use all of my former comment. I would like to know where I claimed Linux to be a God.

You are such a jerk that you seem to want to make a foe out of anyone that disagrees with your ALMIGHTY opinion.

Eric the Ignoramus Smith. It has a nice ring to it. You should go for the ten points.

– by Rax

Linux bugs are always smaller than Windows bugs… (10:12pm EST Sun Mar 21 2004) I hear this every time. Whenever there is a Windows bug, the world is coming to an end! Whenever there is a Linux-related bug, it's always "a minor flaw"! Sheesh…

Rax, stop getting so personal. Your first comment was just trolling, and Eric, you played right into it; don't get into arguments, please. Eric, don't get offended, but you need to just ignore comments which wind you up. Stick to moderating the discussion; your comments of late seem to be attracting hate messages, which is never good. – by RANT OVER

I guess it would be heretical of me to point out that all of these flaws are *application* level flaws, not OS flaws. If you want to start slinging mud about meandering applications causing Windows problems, I can start listing all the bugs, exploits, crashes, and errata associated with the RPMs found in standard Linux distributions.

What you guys never seem to grasp is that I'm not pro-Windows or anti-Linux. I think they both have their pros and their cons. Nobody minds when I post the pros, but everybody whines when I post the cons — no matter who the con applies to.

It is quite a pity when people like Rax and *nix More Secure are so incapable of handling criticism that they're forced to resort to name-calling, lies, and FUD in order to push their agenda. I'll keep on telling the truth, both the good truth and the bad truth, about all of it in the hopes that some of you out there can gain some knowledge from it. – by J. Eric Smith

If you did not like my comments, just ignore them. I did not direct them at you anyway.

– by Rax

Re: RANT OVER, D.ddd, Amadeus (11:58pm EST Mon Mar 22 2004) I am sorry if I offended you. My first comment was not meant to stir up anything at all. Eric just seems to want to attack anything I say on this forum, and sometimes I get sick of his crap. He is not any smarter than anyone here; he is just a guy that picks the news and puts up an opinion first.

I want you to note that I did not get personal until long after he did.

Am I the Linux zealot he claims I am? Or do I just want Microsoft to give fair value for our money?